PT-2026-40975 · Flowiseai+2 · Flowise

Published

2026-05-14

·

Updated

2026-06-11

·

CVE-2026-42861

CVSS v3.1

9.6

Critical

VectorAV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions Flowise versions prior to 3.1.2
Description A mass assignment issue exists in the variable update endpoint '/api/v1/variables/{variableId}'. This allows authenticated users to modify server-controlled properties by including them in the JSON request body, as the backend lacks strict input validation and authorization checks. Specifically, an attacker can manipulate the workspaceId, createdDate, and updatedDate variables. By altering the workspaceId, a user can reassign variables to arbitrary workspaces, which may lead to a bypass of tenant isolation in multi-workspace environments.
Recommendations Update to version 3.1.2.

Exploit

Fix

Improper Access Control

IDOR

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-42861
GHSA-6FW7-3Q8R-M5VJ

Affected Products

Flowise